Using Workflow's HTTP Request Action to Work With IdentityNow APIs

Purpose
Show you how to use Workflow’s HTTP Request Action to Work With IdentityNow APIs.

Configuration Steps

  • Get a Personal Access Token (PAT) to call IdentityNow APIs.
  • Trigger a workflow when an identity’s lifecycle state changes.
  • Add a workflow action to get an identity’s AD account.
  • Add a workflow action to send an email with AD account info.

Get a Personal Access Token (PAT) to call IdentityNow APIs.

  1. Select your name in the top-right corner.
  2. Select the Preferences menu.
  3. Select the Personal Access Tokens menu.

  1. Copy your Secret and Client ID into a safe place (you’ll need this later).

Trigger a workflow when an identity’s lifecycle state changes.

Add an Identity Attributes Changed trigger and set Attribute to Filter: cloudLifecycleState.

Add a workflow action to get an identity’s AD account.

Add an HTTP Request action and set the following attributes (leave all other fields blank):

  • Authentication Type: OAuth 2.0 - Client Credentials Grant
  • Token URL: https://TENANT.api.identitynow.com/oauth/token, replacing TENANT with your tenant name
  • Client ID: Obtained above
  • Client Secret: Obtained above
  • Credential Location: Header
  • Request URL: https://TENANT.api.identitynow.com/v3/accounts, replacing TENANT with your tenant name
  • Query Parameters:
filters:identityId eq "{{$.trigger.identity.id}}" 
filters:sourceId eq "<SOURCE ID>" // ID for your Active Directory source.
  • Method: GET
  • Request Content Type: JSON

Add a workflow action to send an email with AD account info
Add a Send Email action and set the following attributes (leave all other fields blank/default):

  • Recipient Email Address: an email address of your preference
  • Subject: Lifecycle State Changed, Check AD Account
  • Body:
    Dear Admin,<br><p>An identity's lifecycle state has changed. Please check their AD account:</p>${accountName}
  • Templating Context:
    {"accountName.$":"$.hTTPRequest.body[0].name"}

Don’t forget to add an End Step - Success!

Outcome

Once you save and enable the workflow, the target address will receive this email each time an identity’s lifecycle state changes. Hope you found this helpful!

1 Like

I too am looking for an example to follow for the Query Parameters. I see where to enter the name and value for the parameters in the Query parameters section, but I’m unclear on how to set them in the URL

In case it helps someone else, I found that an inline variable like this did the trick.

/v3/identities/{{$.trigger.identity.id}}/set-lifecycle-state

Hi, perhaps a new thread should be started but trying here first.
It works fine to use as described in this guide, however I would like to not use my personal token. Instead I have created client credentials from global → security settings → API Management and gotten my credentials and set all possible scopes. But when I try using these credentials I get error 403, forbidden.
I have tried without setting scope and with “sp:scopes:default sp:scopes:all”.

Is it not possible to use this kind of credentials or am I doing something wrong? Since it works with my personal token I guess former…

Hi Jesper. Did you create your global security credentials using the CLIENT_CREDENTIALS grant type? If so, that is the reason you are seeing a 403. The OAuth client credentials grant type doesn’t have a user context, and therefore can’t access many of our APIs which do require a user context. Furthermore, the HTTP Action in Workflows doesn’t have support for the AUTHORIZATION_CODE grant type, which would provide a user context after logging into IDN.

You must use a PAT (personal access token) when authenticating to IDN APIs using the HTTP action.

1 Like

Hi Colin, yes I used client_credentials grant type. Alright I see, thank you for the quick response! Then I can stop looking for a “fix” for that and I will use PAT instead.

Hello Colin,

Thanks a lot, I also faced the same issue yesterday and after using PAT it got solved.
Is there any plans to leverage Global credentials for these operations in future?

Regards
Arjun

There are no plans as of now. A user context is required for the majority of our APIs, so it’s best to use PAT for automations.

1 Like